The first Microsoft Patch Tuesday of 2020 contained fixes for CVE-2020-0601, a vulnerability discovered by the United States’ National Security Agency (NSA) that affects how cryptographic certificates are verified by one of the core cryptography libraries in Windows.
The vulnerability was dubbed CurveBall or “Chain of Fools.” An attacker exploiting it could potentially create their own cryptographic certificates that appear to originate from a legitimate certificate that is fully trusted by Windows by default.
On Monday the 13th of January, Brian Krebs published a blog post saying that his sources had told him that, in the next 24 hours, Microsoft would release software updates to fix a vulnerability in the Windows Crypto API.
True to his word, on the 14th of January, NSA released a cyber security advisory that disclosed a vulnerability in the crypto API. This vulnerability allowed an attacker to defeat certificate validation in Windows 10, and it affected TLS and code signing.
Less than 24 hours later, security researcher Saleem Rashid published a proof of concept on his Twitter account showing that he had successfully “rick rolled” github.com and nsa.gov using a custom-made CA certificate.
Shortly after this, Ollypwn, aka Oliver Lyak, a security researcher from Denmark, published a proof of concept exploit on GitHub for anyone to use. What struck the world was that the exploit consisted of fewer than 10 lines of code and anyone could use it.
For the rest of this blog post I’m going to try to explain how this vulnerability works at a very high level, and point out why this exploit is extremely powerful.
A CA certificate is part of a signing mechanism in which the certificate authority “vouches” that you are who you claim to be.
These types of certificates are used to sign other certificates, as a form of trust. You have a certificate and you let a well-known certificate authority (CA) sign it. This is used to encrypt the traffic from your device to the destination, and it appears as a padlock in the corner of your browser when using the internet.
It should be noted at this point that the padlock in the browser does not mean the website is safe, as certificates can be purchased extremely cheaply, if not obtained for free through 90-day free trials.
Crypt32 keeps a cache of CA certificates in Windows. When verifying a CA certificate, it goes through all the cached certificates and checks whether the public key of the provided CA certificate matches the public key of any cached CA certificate.
The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality.
Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.
Examples where validation of trust may be impacted include:
Signed files and emails
Signed executable code launched as user-mode processes
Rapid adoption of the patch is the only known mitigation at this time. The patch replaced the simple comparison between the issuer and trusted root public key hash with a call to the new function ChainComparePublicKeyParametersAndBytes(), which compares the public key parameters and bytes between the trusted root certificate and the certificate that was actually used to verify the signature on the end certificate. If that comparison fails, CryptVerifySignatureEx() is called to re-verify the signature on the end certificate using the actual trusted root certificate, parameters and all. This catches any crafted root certificates with cryptographic parameters that differ from those on the actual trusted certificate.
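The difference between the two comparisons can be shown on an EC SubjectPublicKeyInfo structure. The following is an added example, not code from Microsoft or from the original post: it models the pre-patch check as a hash over the public key bytes only and the patched check as a comparison of parameters and bytes. The function names, the use of SHA-256 and the sample data are assumptions, and the CryptVerifySignatureEx() re-verification step is not modelled.

```python
import hashlib

EC_PUBKEY_OID = bytes.fromhex("06072a8648ce3d0201")  # id-ecPublicKey
SECP384R1_OID = bytes.fromhex("06052b81040022")      # named curve secp384r1

def tlv(tag, body):  # encode one DER element with a definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, pos=0):  # decode one DER element: (tag, body, next offset)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def split_spki(spki):
    """Return (parameters DER, public key bytes) of an EC SubjectPublicKeyInfo."""
    _, seq, _ = read_tlv(spki)
    _, alg, after_alg = read_tlv(seq)
    _, _, after_oid = read_tlv(alg)          # skip the algorithm OID
    _, bits, _ = read_tlv(seq, after_alg)    # BIT STRING holding the key
    return alg[after_oid:], bits[1:]         # bits[0] is the unused-bits count

def params_kind(spki):  # named-curve OID (tag 0x06) or explicit SEQUENCE (0x30)
    return {b"\x06": "named", b"\x30": "explicit"}.get(split_spki(spki)[0][:1], "other")

def pre_patch_match(trusted, presented):
    """Key-hash-only comparison (SHA-256 is an assumption of this model)."""
    digest = lambda s: hashlib.sha256(split_spki(s)[1]).digest()
    return digest(trusted) == digest(presented)

def post_patch_match(trusted, presented):
    """Compare public key parameters and bytes, as the patched check does."""
    return split_spki(trusted) == split_spki(presented)

def make_spki(params, key):  # helper used only to build the sample data
    return tlv(0x30, tlv(0x30, EC_PUBKEY_OID + params) + tlv(0x03, b"\x00" + key))

# Constructed sample data: placeholder bytes, not a real key or real curve parameters.
KEY = b"\x04" + bytes(range(96))
TRUSTED = make_spki(SECP384R1_OID, KEY)
PRESENTED = make_spki(tlv(0x30, b"\x02\x01\x01\x04\x02\xaa\xbb"), KEY)
```

With this data, `pre_patch_match(TRUSTED, PRESENTED)` is true while `post_patch_match(TRUSTED, PRESENTED)` is false, and `params_kind` reports the presented key as carrying explicit parameters, which is a useful signal when triaging certificates.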